Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 records, is based on information from the NVD (National Vulnerability Database) under a partnership agreement through which INCIBE translates the included information into Spanish.

On occasion this list will show vulnerabilities that have not yet been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2024-51301

Publication date:
30/10/2024
In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the packet_monitor function.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2025

CVE-2024-51257

Publication date:
30/10/2024
DrayTek Vigor3900 1.5.1.3 allows attackers to inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doCertificate function.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2025

CVE-2024-51298

Publication date:
30/10/2024
In DrayTek Vigor3900 1.5.1.3, attackers can inject malicious commands into mainfunction.cgi and execute arbitrary commands by calling the doGRETunnel function.
Severity CVSS v4.0: Pending analysis
Last modification:
10/04/2025

CVE-2024-33699

Publication date:
30/10/2024
The LevelOne WBR-6012 router's web application has a vulnerability in its firmware version R0.40e6, allowing attackers to change the administrator password and gain higher privileges without the current password.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2024

CVE-2024-33700

Publication date:
30/10/2024
The LevelOne WBR-6012 router firmware R0.40e6 suffers from an input validation vulnerability within its FTP functionality, enabling attackers to cause a denial of service through a series of malformed FTP commands. This can lead to device reboots and service disruption.
Severity CVSS v4.0: Pending analysis
Last modification:
08/11/2024

CVE-2024-50353

Publication date:
30/10/2024
ICG.AspNetCore.Utilities.CloudStorage is a collection of cloud storage utilities to assist with the management of files for cloud upload. Users of this library who set a duration for a SAS Uri with a value other than 1 hour may have generated a URL with a duration that is longer or shorter than desired. Users who have not implemented SAS Uris are unaffected. This issue was resolved in version 8.0.0 of the library.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2024

CVE-2024-32946

Publication date:
30/10/2024
A vulnerability in the LevelOne WBR-6012 router's firmware version R0.40e6 allows sensitive information to be transmitted in cleartext via Web and FTP services, exposing it to network sniffing attacks.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2024

CVE-2024-33603

Publication date:
30/10/2024
The LevelOne WBR-6012 router has an information disclosure vulnerability in its web application, which allows unauthenticated users to access a verbose system log page and obtain sensitive data, such as memory addresses and IP addresses for login attempts. This flaw could lead to session hijacking due to the device's reliance on IP address for authentication.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2024

CVE-2024-33623

Publication date:
30/10/2024
A denial of service vulnerability exists in the Web Application functionality of LevelOne WBR-6012 R0.40e6. A specially crafted HTTP request can lead to a reboot. An attacker can send an HTTP request to trigger this vulnerability.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2024

CVE-2024-33626

Publication date:
30/10/2024
The LevelOne WBR-6012 router contains a vulnerability within its web application that allows unauthenticated disclosure of sensitive information, such as the WiFi WPS PIN, through a hidden page accessible by an HTTP request. Disclosure of this information could enable attackers to connect to the device's WiFi network.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2024

CVE-2024-31152

Publication date:
30/10/2024
The LevelOne WBR-6012 router with firmware R0.40e6 is vulnerable to improper resource allocation within its web application, where a series of crafted HTTP requests can cause a reboot. This could lead to network service interruptions.
Severity CVSS v4.0: Pending analysis
Last modification:
13/11/2024

CVE-2024-31151

Publication date:
30/10/2024
A security flaw involving hard-coded credentials in LevelOne WBR-6012's web services allows attackers to gain unauthorized access during the first 30 seconds post-boot. Other vulnerabilities can force a reboot, circumventing the initial time restriction for exploitation. The password string can be found at addresses 0x803cdd0f and 0x803da3e6:

    803cdd0f 41 72 69 65    ds "AriesSerenaCairryNativitaMegan"
             73 53 65 72
             65 6e 61 43
             ...

It is referenced by the function at 0x800b78b0 and simplified in the pseudocode below:

    if (is_equal = strcmp(password, "AriesSerenaCairryNativitaMegan")) {
        ret = 3;
    }

Where 3 is the return value for user-level access (0 being fail and 1 being admin/backdoor).

While there's no legitimate functionality to change this password, once authenticated it is possible to manually make a change by taking advantage of TALOS-2024-XXXXX using HTTP POST parameter "Pu" (new user password) in place of "Pa" (new admin password).
Severity CVSS v4.0: Pending analysis
Last modification:
03/11/2025